To be precise, as you already noted, the repository is not encrypted, recovery points are. As such, as you mentioned, after enabling an encryption key for specific agents, new base images are needed. The best solution, in my opinion, is taking advantage of the archiving capabilities of RR by archiving some recovery chains in stages (for those who are not aware, RR 6+ archives are mountable as read-only repositories) and starting fresh with encrypted recovery chains. When the retention period expires, the archives can be discarded and the media used for archiving other unencrypted recovery chains, thus increasing the available repository space for encrypted chains. This approach may take some time though...